Old 09-23-2011, 07:03 PM
Keith Roberts
 
Default data recovery

On Fri, 23 Sep 2011, m.roth@5-cent.us wrote:

> To: CentOS mailing list <centos@centos.org>
> From: m.roth@5-cent.us
> Subject: Re: [CentOS] data recovery
>
> Keith Roberts wrote:
>> On Fri, 23 Sep 2011, Paras pradhan wrote:
>> *snip*
>>
>>> No. This is a production server and nobody logs in. Very
>>> very restricted.
>>
>> Have you checked all your logs? What ports are open?
>> What CLI tools to format a HDD do you have on the server?
> <snip>
> And then there's the other question: who has *access*, physically, to the
> server? Staff? Have any staff recently been let go? Cleaning people?

Sounds like somebody may have stuck a Linux installation DVD
into the drive, and hit Ctrl-Alt-Del ?

Could something like this happen by accident - i.e. whoops, I
hit the wrong machine?

Keith

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-23-2011, 07:15 PM
 
Default data recovery

Keith Roberts wrote:
> On Fri, 23 Sep 2011, m.roth@5-cent.us wrote:
>> From: m.roth@5-cent.us
>> Keith Roberts wrote:
>>> On Fri, 23 Sep 2011, Paras pradhan wrote:
>>> *snip*
>>>
>>>> No. This is a production server and nobody logs in. Very
>>>> very restricted.
>>>
>>> Have you checked all your logs? What ports are open?
>>> What CLI tools to format a HDD do you have on the server?
>> <snip>
>> And then there's the other question: who has *access*, physically, to
>> the server? Staff? Have any staff recently been let go? Cleaning people?
>
> Sounds like somebody may have stuck a Linux installation DVD
> into the drive, and hit Ctrl-Alt-Del ?
>
> Could something like this happen by accident - i.e. whoops, I
> hit the wrong machine?

And there's no way they're going to admit it, esp. if they're worried
about their job. Now, if the room is locked, and there's either video, or
key card records....

mark

 
Old 09-23-2011, 07:25 PM
Paras pradhan
 
Default data recovery

Here is the o/p, John

Number  Start   End     Size    File system  Name                          Flags
 1      17.4kB  134MB   134MB                Microsoft reserved partition  msftres
 2      135MB   134GB   134GB   ntfs         Basic data partition
 3      134GB   1100GB  965GB                Basic data partition

Thanks
Paras.

On Fri, Sep 23, 2011 at 1:06 PM, John R Pierce <pierce@hogranch.com> wrote:
> On 09/22/11 3:48 PM, Paras pradhan wrote:
>> Hi,
>>
>> Need help on data recovery.
>>
>> Suddenly my disk device's geometry has been changed to something that
>> does not make any sense. It's 1.8TB in size and had only one single
>> partition. Now I can see 3 partitions sde1, sde2 and sde2 of sizes
>> 130M, 140GB and 10GB.
>>
>> Is there any way to recover data from these newly created disk devices?
>>
>
> Can you share the output of ...
>
>     fdisk -l /dev/sde
>
> be interesting to see just what these partitions look like in terms of
> the disk layout. Those sizes sort of correlate with a typical /boot /
> and swap partition
>
>
> --
> john r pierce                            N 37, W 122
> santa cruz ca                         mid-left coast
>
 
Old 09-23-2011, 07:26 PM
Paras pradhan
 
Default data recovery

On Fri, Sep 23, 2011 at 1:32 PM, Keith Roberts <keith@karsites.net> wrote:
> On Fri, 23 Sep 2011, Paras pradhan wrote:
> *snip*
>
>> No. This is a production server and nobody logs in. Very
>> very restricted.
>
> Have you checked all your logs? What ports are open?
> What CLI tools to format a HDD do you have on the server?
>
>>
>>>
>>> Also, is it possible for a trojan program to do this to your
>>> HDD?
>>
>> Are there any known trojans that can change the disk layout?
>
> I don't know of any. What applications do you have running
> on that server?
>
> You say a production server. What type of server - a web
> hosting provider?
>
> What scripting languages do you have running on the server,
> if any?
>
> If you give me an email directly, I might be able to do a
> remote login for you, and some forensics, as that is one of
> my many interests.

Thank you for this. Right now we are running a tool on it to recover the data.

And yes logs have nothing.

Paras.

>
> Kind Regards,
>
> Keith Roberts
>
 
Old 09-23-2011, 07:33 PM
 
Default data recovery

Paras pradhan wrote:
> Here is the o/p, John
>
> Number  Start   End     Size    File system  Name                          Flags
>  1      17.4kB  134MB   134MB                Microsoft reserved partition  msftres
>  2      135MB   134GB   134GB   ntfs         Basic data partition
>  3      134GB   1100GB  965GB                Basic data partition
<snip>
Looks to me as though someone started to install Windows on top of your
box. This isn't partition data magically changed - best guess is someone
started, then stopped, realizing it was the wrong box they were working
on.

mark


 
Old 09-23-2011, 07:34 PM
Lamar Owen
 
Default data recovery

On Thursday, September 22, 2011 06:48:07 PM Paras pradhan wrote:
> Suddenly my disk device's geometry has been changed to something that
> does not make any sense. It's 1.8TB in size and had only one single
> partition. Now I can see 3 partitions sde1, sde2 and sde2 of sizes
> 130M, 140GB and 10GB.
>
> Is there any way to recover data from these newly created disk devices?

Perhaps. It depends totally on how much has been written to these devices. If anything has been written, you have a problem. If nothing has been written, first back up the partition table, then use fdisk to re-partition with a single partition using exactly the same start and end sectors as you had before.

You will have to find out what the original first sector of the original partition was; this will depend upon a number of factors, such as which version of CentOS we're talking about. CentOS 3, 4, and 5 will probably default to a starting sector of 63; CentOS 6 defaults to a starting sector of 2048. In CentOS 5 and prior you will have to run fdisk with the -u option to set the actual starting sector, as opposed to the starting cylinder; in CentOS 6 fdisk already is set that way, and -u does something different.

There are some recovery tools out there such as testdisk and photorec that don't use the filesystem to do recovery, but look for the raw data instead. There are some other forensic tools, available on specialized distributions like CAINE, Backtrack, and NST, that can help you grab usable data off the drive. But it will not be easy, and will take a long time, especially with that large of a drive. Best thing there is to make an image of the drive and work with it instead of the original drive, though.

Once you have the partition table restored to the way it was, you'll probably have to locate a superblock copy somewhere on the drive. I say 'somewhere' simply because the exact locations of the backup copies vary with the size of the device and the block size used in making the filesystem (for ext2, 3, and 4 filesystems; if it was a different filesystem you'll have to use that filesystem's tools and techniques).

But you might get really lucky if absolutely nothing has been written to those three partitions; if you get the start sector correct and absolutely nothing has written to any area of the disk except the partition table your filesystem may be in readable shape. And I mean readable; only attempt read-only mounting of such a filesystem.

It's usually a good thing to keep a backup of the partition table and bootloader areas (typically the whole first cylinder-equivalent, up to the start of the first partition) for just such an emergency.

As to how this might have happened, a miskeyed 'dd' or 'fdisk' by someone can easily do this. Making a new filesystem on the raw device instead of the partition can do that, too. Look in .bash_history (assuming bash) and any audit logs you might have for anything dealing with that device.
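Two of the steps in Lamar's reply, as an added example that is not from the thread: computing where an ext2/3/4 filesystem keeps its backup superblocks (the device size and block size decide the locations, as he says), and scanning .bash_history for commands that could have rewritten the device. The function names, the read-only `e2fsck -n -b ... -B ...` form and the sample history lines are my own assumptions and constructed input.

```python
import re

# Tools whose invocation against a whole-disk device can rewrite its layout.
DEVICE_CMDS = ("dd", "fdisk", "sfdisk", "sgdisk", "gdisk", "parted",
               "wipefs", "mkfs", "mke2fs", "mkswap", "pvcreate")

def ext_backup_superblocks(blocks_count, block_size):
    """Blocks holding superblock copies on an ext2/3/4 filesystem with the
    default sparse_super feature: groups 0, 1 and every power of 3, 5, 7.
    With 1k blocks the primary sits in block 1, so group starts shift by one."""
    blocks_per_group = block_size * 8      # one block-bitmap block per group
    first_data_block = 1 if block_size == 1024 else 0
    groups = -(-(blocks_count - first_data_block) // blocks_per_group)  # ceil
    sparse = {0, 1}
    for base in (3, 5, 7):
        p = base
        while p < groups:
            sparse.add(p)
            p *= base
    return [g * blocks_per_group + first_data_block
            for g in sorted(sparse) if g < groups]

def e2fsck_dry_runs(device, blocks_count, block_size):
    """Read-only (-n) e2fsck commands, one per backup copy, to try first."""
    return [f"e2fsck -n -b {b} -B {block_size} {device}"
            for b in ext_backup_superblocks(blocks_count, block_size)[1:]]

def suspicious_history(lines, device):
    """History lines running a partitioning/formatting tool against `device`,
    as a plain argument or as dd's if=/of= target."""
    pattern = re.compile(rf"(?:^|[\s=>])(?:/dev/)?{re.escape(device)}\d*(?:\s|$)")
    hits = []
    for line in lines:
        words = line.strip().split()
        if words and words[0] == "sudo":
            words = words[1:]
        if not words:
            continue
        cmd = words[0].rsplit("/", 1)[-1]        # drop any leading path
        if cmd.startswith(DEVICE_CMDS) and pattern.search(line):
            hits.append(line.strip())
    return hits

# Constructed sample history (not from the thread); only the first two hit.
SAMPLE_HISTORY = [
    "dd if=/dev/zero of=/dev/sde bs=512 count=1",
    "sudo parted /dev/sde mklabel gpt",
    "mkfs.ext4 /dev/sdb1",
    "ls -l /dev/sde",
]
```

The block numbers `ext_backup_superblocks` returns are the same ones mke2fs prints as "Superblock backups stored on blocks", so they can be fed straight to `e2fsck -b` once the partition start sector is back where it was.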
 
Old 09-23-2011, 07:43 PM
Lamar Owen
 
Default data recovery

On Friday, September 23, 2011 03:25:10 PM Paras pradhan wrote:
> Here is the o/p, John
>
> Number  Start   End     Size    File system  Name                          Flags
>  1      17.4kB  134MB   134MB                Microsoft reserved partition  msftres
>  2      135MB   134GB   134GB   ntfs         Basic data partition
>  3      134GB   1100GB  965GB                Basic data partition

Uh, that's GPT. What version of fdisk did you use to generate that output?
 
Old 09-23-2011, 07:44 PM
Paras pradhan
 
Default data recovery

On Fri, Sep 23, 2011 at 2:43 PM, Lamar Owen <lowen@pari.edu> wrote:
> On Friday, September 23, 2011 03:25:10 PM Paras pradhan wrote:
>> Here is the o/p, John
>>
>> Number  Start   End     Size    File system  Name                          Flags
>>  1      17.4kB  134MB   134MB                Microsoft reserved partition  msftres
>>  2      135MB   134GB   134GB   ntfs         Basic data partition
>>  3      134GB   1100GB  965GB                Basic data partition
>
> Uh, that's GPT. What version of fdisk did you use to generate that output?

Thanks for your detailed suggestion. Yes, that's GPT; the o/p is from parted.

Paras.

 
Old 09-23-2011, 07:59 PM
Keith Roberts
 
Default data recovery

On Fri, 23 Sep 2011, m.roth@5-cent.us wrote:

> To: CentOS mailing list <centos@centos.org>
> From: m.roth@5-cent.us
> Subject: Re: [CentOS] data recovery
>
> Paras pradhan wrote:
>> Here is the o/p, John
>>
>> Number  Start   End     Size    File system  Name                          Flags
>>  1      17.4kB  134MB   134MB                Microsoft reserved partition  msftres
>>  2      135MB   134GB   134GB   ntfs         Basic data partition
>>  3      134GB   1100GB  965GB                Basic data partition
> <snip>
> Looks to me as though someone started to install Windows on top of your
> box. This isn't partition data magically changed - best guess is someone
> started, then stopped, realizing it was the wrong box they were working
> on.

If it's a production box in service, and this has
happened to it, how can it still be running?

Keith

 
Old 09-23-2011, 08:05 PM
 
Default data recovery

Keith Roberts wrote:
> On Fri, 23 Sep 2011, m.roth@5-cent.us wrote:
>> From: m.roth@5-cent.us
>> Paras pradhan wrote:
>>> Here is the o/p, John
>>>
>>> Number  Start   End     Size    File system  Name                          Flags
>>>  1      17.4kB  134MB   134MB                Microsoft reserved partition  msftres
>>>  2      135MB   134GB   134GB   ntfs         Basic data partition
>>>  3      134GB   1100GB  965GB                Basic data partition
>> <snip>
>> Looks to me as though someone started to install Windows on top of your
>> box. This isn't partition data magically changed - best guess is someone
>> started, then stopped, realizing it was the wrong box they were working
>> on.
>
> If it's a production box in service, and this has
> happened to it, How can it still be running?

And if it *is* a production box, then you know *exactly* what time it
stopped working, and you can find out who was around.

mark

 
